Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it around 17:40 (UTC) on that day was far larger than normal and carried on for almost three days.

The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.

The size of the attack has not been made public, although from details offered by mitigation company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm the site’s web servers with bogus HTTP traffic.

Given the protection sites employ these days, this suggests that it was well into the terabits-per-second range used to measure the largest DDoS events on the internet.

In fact, most of that flood would never have reached Wikipedia’s servers, instead being thrown away by upstream ISPs as a protective measure once it became obvious that a DDoS was underway.

An appeals court has told LinkedIn to back off – no more interfering with a third-party data-analytics startup’s use of the publicly available data of LinkedIn’s users.

The court’s decision, which affirmed that of a lower court, has been closely anticipated for what some legal scholars consider to be the case’s important constitutional and economic issues, as well as what critics believe could be a chilling effect on digital competition.

Constitutional scholar and Harvard law professor Laurence Tribe, for one, has weighed in on this issue to offer advice to the data-scraping startup in question, hiQ Labs.

At issue, Tribe has said, was that social media is the modern equivalent of the public square. He’s called LinkedIn’s attempts to stop hiQ from using its users’ publicly available data “a serious challenge to free expression in the modern world.”

Freedom of speech is not just about flag-burning. It’s about how you use information in the digital economy. Data is the new form of capital in creating products and services.

Imagine this: you’re at a party one Saturday night and, at 1 a.m., decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a litre of Smithwick’s finest from a beer bong.

Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Ruh-roh. That’s a quick way to sober up.

Luckily, you sent the photo using Telegram Messenger, and you remember that it lets you delete entire messages and the pictures they contain from both your phone and the recipient’s. Sue was probably asleep, so you can quickly wipe the message and no one will be any the wiser.

Phew, no harm done. Except for one important fact: it turns out that ‘unsend’ feature didn’t work properly.

Telegram introduced its ‘unsend message’ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw.

The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion.

On Monday, Facebook gave users a heads-up about changes coming in Android and iOS updates and how they let you see and manage your location data, how apps track you, and how Facebook’s use of your location data fits into all of it.

The post explains how Facebook’s app collects and uses background location data from smartphones: “background,” as in, when you’re not actually using the app.

You can see why Facebook might want to get its location data story out there now, in front of Apple’s release of iOS 13, which is expected in just a few days, on 19 September. (Android 10 was already publicly released – at least for Pixel devices – on 3 September.)

Facebook’s is, after all, one of the apps whose snail-slime trails of users’ location data iOS 13 is going to depict in maps.

From Facebook’s newsroom post:

If you are using iOS 13, you will begin to receive notifications about when an app is using your precise location in the background and how many times an app has accessed that information. The notification will also include a map of the location data an app has received and an explanation why the app uses that type of location information.

Craig Federighi, Apple’s senior vice president of software engineering, said at the time that sharing your location data with a third-party app can “really enable some useful experiences,” but that “we don’t expect to have that privilege used to track us.”

iOS 13 will show users a map of where apps have been tracking you when requesting permission

Mozilla is about to turn on by default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt your DNS requests using a feature called DNS-over-HTTPS (DoH), it said on Friday.

DNS (short for Domain Name System) is the service that takes a human-readable name like nakedsecurity.sophos.com and turns it into an IP address a computer can use. (Your DNS service provider is usually your ISP, but it doesn’t have to be. There are free and commercial DNS services too.)

The problem is that computers normally send DNS requests in the clear. That means an evil man-in-the-middle sniffing the Wi-Fi in your local coffee shop, or stationed on any of the computers between you and your DNS resolver, can meddle with your DNS. They can spy on it, to see what sites you’re visiting, or change it, to send you somewhere else.

The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018, it attempted to solve them by introducing DoH. It handles all DNS queries over the HTTPS protocol, which is protected by TLS encryption. Not only does this encrypt DNS, but it also uses the same ports that handle HTTPS sessions, which are different from the ports used for DNS queries. That makes DoH requests look the same as regular HTTPS traffic and makes it impossible for ISPs to block the use of DoH without also blocking all web access.

The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything – such as parental control systems or the safe search capability on some search engines, like Google.
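To make the mechanism concrete, here is an added example (not code from the article or from Mozilla) that builds a DNS query in the ordinary wire format and wraps it in both RFC 8484 request forms, then parses a constructed reply. The resolver hostname dns.example and the answer 192.0.2.10 are placeholders; nothing is sent over the network.

```python
import base64
import struct

# Added example (not from the article). The resolver host and the answer
# address below are constructed placeholders; no network traffic is generated.
DOH_RESOLVER = "dns.example"   # assumed resolver host; DoH talks to it on TCP/443


def build_dns_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Build a classic DNS wire-format query (RFC 1035) for an A record.

    DoH carries exactly these bytes. RFC 8484 recommends transaction ID 0 so
    that identical queries produce identical HTTP requests (cache-friendly).
    """
    # flags 0x0100 = recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded query, padding stripped, in dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"/dns-query?dns={encoded}"


def doh_post_request(host: str, query: bytes) -> bytes:
    """RFC 8484 POST form: the raw wire-format query is the HTTP body.

    On the wire this sits inside TLS to port 443, so an observer sees only an
    HTTPS connection to the resolver, not the name being looked up.
    """
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_answers(msg: bytes) -> list:
    """Parse an application/dns-message reply into (name, IPv4, ttl) tuples."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample reply, shaped like a resolver's answer; not a live lookup."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name -> offset 12
    return header + query[12:] + answer


def demo():
    """Round trip: the same query bytes as UDP/53 DNS, just carried inside HTTPS."""
    query = build_dns_query("nakedsecurity.sophos.com")
    request = doh_post_request(DOH_RESOLVER, query)
    reply = constructed_response(query, "192.0.2.10")
    return doh_get_path(query), len(request), parse_a_answers(reply)


if __name__ == "__main__":
    print(demo())
```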

US Immigration and Customs Enforcement (ICE) is looking into illegal exports of a gun scope, and its investigation includes going after Apple and Google to get them to hand over the names of who’s using an associated gun-scope app.

The Department of Justice (DOJ) on Thursday filed a court order demanding that the two companies turn over data on some 10,000 users of Obsidian 4: an app from American Technologies Network Corp. (ATN) that connects the scope to smartphones or tablets via Wi-Fi so that gun owners can watch a live video stream of their hunt and calibrate their smart scope.

Apple doesn’t release app download numbers, but Google Play says that the app’s been downloaded over 10,000 times. How many of those installs are from actual users is another question, though, given how many recent reviews say that they’re only downloading in protest of the government demanding that Google and Apple hand over a list of the app’s users.

Android apps are digitally signed by their developers. Digital signatures are created using a private cryptographic key, and the word ‘private’ means just what it says – the value of the signature depends on keeping the signing key private.

After all, if someone else gets hold of your private key then they can sign their own apps with it and pass them off as yours.

The signing key that Facebook lost was apparently used to vouch for the Free Basics by Facebook app. According to Artem Russakovskii, the owner of the Android Police website and its sister site, APK Mirror, which hosts Android apps for download, third-party apps signed with that key have appeared online.

Museums use them to bring their paintings to life. Restaurants put them on tables to help customers pay their bills quickly. Tesco even deployed them in subway stations to help create virtual stores. QR codes have been around since 1994, but their creator is worried. They need a security update, he says.

Engineer Masahiro Hara dreamed up the matrix-style barcode design for use in Japanese automobile manufacturing, but, as many technologies do, it took off as people began using it in ways he hadn’t imagined. His employer, Denso, made the design available for free. Now, people plaster QR codes on everything from posters to login confirmation screens.

If you thought QR codes were just a passing marketing gimmick, think again. They’re hugely popular in China, where people used them to make over $1.65 trillion in payments in 2016 alone, and Hong Kong too has just launched a QR code-based faster payments system.

The codes generated enough interest that Apple even began supporting them natively in iOS 11’s camera app, removing the need for third-party QR scanning apps.

Hara is a little spooked by all these new uses for a design that originally just helped with production control in manufacturing plants. In a Tokyo interview in early August, he reportedly said:

Now that it’s used for payments, I feel a sense of responsibility to make it more secure.

He’s right to be concerned. Attackers could compromise people in various ways using QR codes.

One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organization warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.

Google has reportedly agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube and its allegedly illegal tracking and targeting of kids who use the video streaming service.

In June, people familiar with the matter told news outlets that the Federal Trade Commission (FTC) was nearing the end of an investigation into YouTube’s alleged failure to protect the kids who use the Google-owned service.

That was followed by letters sent to the FTC about the matter from children’s privacy law co-author Senator Edward Markey and two consumer privacy groups. They urged the FTC to do whatever it takes to figure out if YouTube has violated the law protecting children and, if so, to make it shape up and stop it.

That “stop it” recommendation included Markey’s request that the FTC force Google to establish “a $100 million fund to be used to support the production of noncommercial, high-quality and diverse content for children.”

In July, the Washington Post was the first to report on the finalization of the settlement. Sources familiar with the issue told the newspaper that the FTC’s investigation concluded that Google hasn’t properly protected kids who use YouTube and has suctioned up their data, in violation of the Children’s Online Privacy Protection Act (COPPA), which outlaws tracking and targeting kids younger than 13.

Now, sources have put forward a number: they told Politico that Google has indeed agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube.

The increasingly tense stand-off between privacy campaigners and the popular mobile payment app Venmo has taken another turn for the worse.

The latest salvo is an open letter by the Electronic Frontier Foundation (EFF) and Firefox makers The Mozilla Foundation to Dan Schulman and Bill Ready, respectively the CEO and COO of Venmo owner, PayPal.

Their complaint has three strands to it, the first of which is the long-running gripe that transactions made using Venmo are still not private by default.

The second worry is that anyone using the app can see who someone is connected to through their friends list.

Together these create the third problem – it’s likely that many Venmo users don’t realise the privacy effect of these settings, which means they might be giving away data about their personal habits they’d rather not. As the EFF/Mozilla letter puts it:

It appears that your users may assume that, like their other financial transactions, their activity on Venmo is both private and secure.

How we got here

Founded a decade ago, Venmo is a digital wallet app that people use to send money to other users, for example to split restaurant bills or bar tabs conveniently. It can also be used to buy things from participating merchants.

In practice, Venmo is also used to pay for everything from rent and personal debts to illegal drugs and prostitutes.

Google already dropped hints about nation-state involvement in its announcement, but a separate report that Windows and Android devices were also on the target list offers a new twist to the story.

If correct, the inclusion of Windows and Android shouldn’t be surprising – it makes sense when targeting specific groups of people through a small group of websites to target as many computing devices as possible so as not to miss anyone.

Of course, none of this can currently be verified. For now, these are simply unnamed sources talking to a few journalists, offering information that might never be confirmed.

Indeed, the fact that it is being taken seriously at all is partly down to the fact that the companies involved – Google, Microsoft, Apple – seem unwilling to deny any of it.

Launched on Friday and viral practically right off the bat, the brand-new, AI-outfitted, deepfake face-swapping app Zao can swap users’ photos to those of celebrities zippity quick.

And just as fast as greased lightning, the app got itself banned from China’s top messaging app service, WeChat, after its meteoric rise in China’s app stores was countered by a fierce privacy backlash.

Sina Technology reports that on Sunday, the company behind the Zao mobile app had posted onto Weibo – China’s Twitter-like microblogging service – an apology and a request to please give it some time to figure out privacy issues.

How would you prepare to rob a bank? You’d scope out the location, suss out the quietest times, and use clothing to conceal your identity. But would you leave your phone at home? Judging by news that surfaced last week, you probably should – at least if it has Google’s software on it.

The Verge reports that FBI agents issued the search and advertising giant with a warrant in November 2018, seeking its help with a bank robbery the month before.

The robbery took place at 9:02am on 13 October 2018 at the Great Midwest Bank in Hartland, Wisconsin. Two robbers entered the building, one of them waving a handgun and forcing staff to the floor. He filled a plastic bag with cash and demanded the key to the vault. He took three drawers of cash from the vault, and then both robbers left the building by the back door. The whole thing took just seven minutes.

The forum for the techie-darling comic strip XKCD was still offline on Monday afternoon after Troy Hunt’s breach site, Have I Been Pwned, reported on Sunday that 562,000 of the forum’s accounts had been breached sometime in August.

A breach notice on the echochamber.me/xkcd forums echoed Hunt’s message: portions of the forums’ phpBB user table showed up in a cache of leaked data, it said. The forum exposed usernames, email addresses, passwords salted and hashed using the obsolete MD5 hashing function, and IP addresses.

To translate: MD5 is a hashing function, and it’s not a good one. For over a decade, it’s been recognized as not producing truly random hashes, and there have been far, far better solutions for storing passwords for decades.

As Naked Security’s Mark Stockley said back when he ditched his Yahoo account, the final nail in the coffin was the fact that Yahoo said, in its December 2016 mega-breach announcement, that it was hashing passwords with MD5 (and, in some cases, encrypted or unencrypted security questions and answers).

Was Yahoo bolstering the not-so-random randomness of MD5 hashing by using it in the context of a more complex “salt, hash and stretch” password storage routine, like PBKDF2, bcrypt or scrypt?

Yahoo didn’t say – not a good sign. So out the window went Mark’s Yahoo account.
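As an added illustration (not code from the article, from Yahoo or from the forum’s phpBB software), the block below contrasts the three storage schemes the text mentions: plain MD5, salted MD5, and a “salt, hash and stretch” routine using PBKDF2-HMAC-SHA256. The wordlist, salts, passwords and the stored-hash format are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the article). Wordlist and passwords are constructed.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """Plain MD5 of the password: what an old-style user table stored."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_salted(password: str, salt: str) -> str:
    """One round of MD5 over salt+password: defeats precomputed tables, nothing more."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def precomputed_table(words) -> dict:
    """Built once, reusable against every unsalted hash in a leaked table."""
    return {md5_unsalted(w): w for w in words}


def lookup_unsalted(digest: str, table: dict) -> Optional[str]:
    """Recovering an unsalted hash is a dictionary lookup, not computation."""
    return table.get(digest)


def guess_salted(digest: str, salt: str, words) -> Optional[str]:
    """With a salt the table is useless, but a single fast MD5 per guess means
    each hash can still be checked against a wordlist at very high rates.
    That is why 'stretch' (many iterations) matters, not just 'salt'."""
    for w in words:
        if hmac.compare_digest(md5_salted(w, salt), digest):
            return w
    return None


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def pbkdf2_store(password: str, iterations: int = 310_000,
                 salt: Optional[bytes] = None) -> str:
    """Salt, hash and stretch: random per-user salt, PBKDF2-HMAC-SHA256, many rounds.

    Stored as algo$iterations$salt$hash (format constructed for this example).
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(derived)}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, int(iterations))
    return hmac.compare_digest(derived, expected)


def demo() -> dict:
    """Constructed leak: one weak password stored three different ways."""
    table = precomputed_table(COMMON_PASSWORDS)
    leaked_unsalted = md5_unsalted("qwerty")
    salt = "x7q2"                                   # constructed per-user salt
    leaked_salted = md5_salted("qwerty", salt)
    stored = pbkdf2_store("qwerty", iterations=2_000)  # low count only to keep the demo quick
    return {
        "unsalted_cracked_by_lookup": lookup_unsalted(leaked_unsalted, table),
        "salted_cracked_by_guessing": guess_salted(leaked_salted, salt, COMMON_PASSWORDS),
        "pbkdf2_verifies_correct": pbkdf2_verify("qwerty", stored),
        "pbkdf2_rejects_wrong": pbkdf2_verify("qwerty1", stored),
        "pbkdf2_same_password_differs": pbkdf2_store("qwerty", 2_000) != stored,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last key shows the salt doing its job: two stores of the same password never match, so a leaked table cannot be attacked with one precomputed list.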

After the privacy hell-hole that was Windows 10 circa 2017-ish, you’re doing better, the Dutch Data Protection Authority (DPA) told Microsoft on Tuesday, but you still aren’t legally kosher, privacy-wise.

A very quick recap: Users howled. Regulators scowled. Microsoft tweaked in 2017. The DPA investigated those tweaks. The upshot of its investigation: the DPA has asked the Irish privacy regulator – the Irish Data Protection Commission, DPC – to re-investigate the privacy of Windows users.

What a long, strange privacy trip it’s been

A recap with more flesh on its bones: in 2015, Microsoft released Windows 10. From the get-go, France’s privacy watchdog – the National Data Protection Commission (CNIL) – had concerns about the operating system’s processing of personal data through telemetry.

After conducting tests, CNIL determined that there were plenty of reasons to think that Microsoft wasn’t compliant with the French Data Protection Act. In July 2016, it gave Microsoft three months to fix Windows 10 security and privacy.

If so, they were wrong. On 26 August 2019, another update was released for the four-week-old iOS 12.4 in the form of iOS 12.4.1.

Apple doesn’t describe this as an ‘emergency’ patch – though as it addresses a serious vulnerability, it’s hard to interpret it as being anything else.

Why the rush? This is where it gets awkward for Apple. Version 12.4.1 closes a jailbreaking hole, which we delved into in some detail last week.

The short version

Originally patched in iOS 12.3 in May 2019 after being revealed by Google Project Zero researcher Ned Williamson as the ‘Sock Puppet’ exploit (CVE-2019-8605), the arrival of iOS 12.4 in July inadvertently undid that fix.

A researcher known as Pwn20wnd subsequently released a follow-up jailbreak exploit dubbed ‘unc0ver’ on 18 August 2019 which jailbroke some Apple iOS devices.

In other words, Apple fixed the flaw, accidentally unfixed it, and with the appearance of a jailbreak had to rush out iOS 12.4.1 to re-fix it for a second time.

“It is not letting me vote for who I want to vote for,” a Mississippi voter said in a video that shows him repeatedly pushing a button on an electronic touch-screen voting machine that keeps switching his vote to another candidate.

On Tuesday morning, the date of Mississippi’s Republican primary election for governor, the video was posted to Twitter…

…and to Facebook by user Sally Kate Walker, who wrote this as a caption:

Ummmm … seems legit, Mississippi.

Walker said in a comment that the incident happened in Oxford, Miss., in Lafayette County. A local paper, the Clarion Ledger, reported that as of Tuesday night, there were at least three reports confirmed by state elections officials of voting machines in two counties changing voters’ selections in the state’s GOP governor primary runoff.

The machines were switching voters’ selections from Bill Waller Jr. – a former Supreme Court Chief Justice – to Lt. Gov. Tate Reeves. Waller’s campaign told the Clarion Ledger it also received reports of misbehaving voting machines in at least seven other counties.

The US Department of Justice (DOJ) on Thursday unsealed a sprawling, 252-count, 145-page federal indictment charging 80 defendants – most of them Nigerian nationals – with conspiring to steal millions of dollars through online frauds that targeted businesses, the elderly and women.

Identified only as “F.K.” in the indictment, the Japanese woman first met the fraudster who would come to bleed her of hundreds of thousands of dollars on an international social network for digital pen pals.

F.K. thought she was corresponding with a captain in the US Army, “Capt. Terry Garcia”, who was stationed in Syria. Over the course of 10 months, Garcia described in daily emails his scheme to smuggle diamonds out of the country.

F.K. borrowed money from her sister, her ex-husband and her friends to help out her fake boyfriend, but in the end, there were no diamonds.

She wound up $200,000 poorer and on the verge of bankruptcy. From the federal complaint:

F.K. was and is extremely depressed and angry about these losses. She began crying when discussing the way that these losses have affected her.

The indictment was unsealed after law enforcement arrested 14 defendants across the US, with 11 of those arrests taking place around Los Angeles. Two of the defendants were already in federal custody on other charges, and one was arrested earlier last week. The hunt is still on for most of the remaining defendants, who are believed to be abroad – mostly in Nigeria.

It’s official: Android 10, the next version of the Android operating system, ships on 3 September 2019. Well, it’s semi-official, at least.

Mobile site PhoneArena reports that Google’s customer support staff let the date slip to a reader during a text conversation. Expect the operating system, also known as Android Q, to hit Google’s Pixel phones first before rolling out to other models. It will include a range of privacy and security improvements that should keep Android users a little safer.

Privacy features

Some of the most important privacy upgrades are those that stop applications and advertisers knowing more about your phone. Android 10 will now use a randomised MAC address (the unique identifier for the network hardware in your phone) and also requires extra permissions to access the phone’s International Mobile Equipment Identity (IMEI) and serial numbers, both of which uniquely identify the device.

Google has also taken steps to protect information about how you interact with your contacts. When you grant an app access to your contacts, Android will no longer provide it with ‘affinity information’, which orders your contact data according to who you interact with most. Mark that one in the “wait, what? It did that?” file.

One of the other significant privacy enhancements is control over how an app accesses a phone’s location. A new dialog will let users choose whether apps can access location at all times, or only when running in the foreground. Google is playing catch-up here, as iOS already does this.

More than half of social media logins are fraudulent, according to a new report.

Specifically, 53% of social media logins are fraudulent, and 25% of all new account applications on social media are also coming from scammers, according to the Arkose Labs Q3 Fraud and Abuse report.

Of course, there are plenty of good reasons to care about the fakery that saturates social media, given that the fraudulent activity is focused on stealing data and squeezing us all for money. Large-scale bots are behind most of these transactions, launching attacks on social media platforms with the goal of “disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers,” according to a media release from Arkose.

Arkose looked at fraud across the internet, but with specific regard to social media fraud, the activity took on a host of different forms: account hijackings, fraudulent account creation, and spam and abuse were among them. It found that more than 75% of attacks on social media are coming from automated bots.

Social media was distinct among the industries Arkose analyzed: account hijackings were more common, with logins twice as likely to be attacked as account registrations, the report found. Arkose says that the account takeovers are being done by attackers looking to harvest valuable personal data from the accounts of legitimate users.

We’ve often written about how these account takeovers manifest and what they’re after. In November 2018, for example, Facebook said that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it had gotten tougher to push propaganda on the platform, and suggesting that fellow propagandists instead try to take over legitimate social media accounts: acting like wolves in sheepskins in order to escape Facebook’s notice, as it were.

Source code management site GitHub is the latest company to support WebAuthn – a new standard that makes logging into online services using a browser more secure.

WebAuthn is short for Web Authentication and it’s a protocol that lets you log into an online service by using a digital key. It’s a core part of FIDO2, a secure login protocol from the FIDO Alliance, which encourages industry support for these secure login standards.

GitHub, which Microsoft bought for $7.5bn last year, has been doing its best to secure people’s accounts with more secure logins for a while now. Back in 2013, it announced support for two-factor authentication (2FA) via SMS text messages and 2FA apps on a mobile phone. Then, in October 2015, it launched support for universal second factor (U2F) authentication. This was a FIDO specification that allowed the use of a hardware key as a 2FA mechanism.

WebAuthn supersedes U2F and offers everything the older standard did along with some additional benefits:

It upgrades GitHub’s 2FA support to the latest industry standard. The World Wide Web Consortium (W3C), which oversees many of the standards that make up the web, approved WebAuthn as an official standard in March 2019.

While you can use a third-party hardware security key to use WebAuthn, in many cases you don’t need to. You can also use a digital key stored on your phone instead, turning the phone itself into your hardware key.

WebAuthn can be a primary access factor. U2F still needed a password to gain access, meaning that it could only ever be a second factor in your login process. The U2F-based physical key effectively said “yes, the person entering that password is legit, because I am in their possession”.

Wooo, fancy – a guy who phished more than 100 companies out of nearly £1m (around $1.1m) in cryptocurrency used some of that money to sit his butt down in a first-class carriage on the train. That’s how they caught him, actually – with “his fingers on the keyboard” as he was logging in to a dark web account on a train between Wales and London back in September 2017.

Flash forward two years, and Wooo-HOOOOO, it’s payback time!

As in, literal payback. London’s Metropolitan Police announced on Friday that Grant West, who was 25 when police arrested him on that train and who is now 27, has not only been jailed for fraud after carrying out attacks on more than 100 major brands worldwide, including Apple, Uber, Sainsbury’s, Groupon, T-Mobile, Ladbrokes, Vitality, the British Cardiovascular Society and the Finnish Bitcoin exchange.

He’s also been ordered to pay back the money he ripped off.

Goodbye, cryptocurrency: when Southwark Crown Court gave West ten years and eight months jail time, the judge also said that his ill-gotten loot would be sold and that the victims will receive compensation.

I therefore order a confiscation of that amount, £915,305.77, to be paid as a way of compensation to the losers.

Some of it’s frozen and being held by the FBI, and all of it’s fluctuating madly, as cryptocurrencies do, which has made it tough to figure out exactly how much to give victims.

West has to agree to release the funds from his accounts, but there’s not much of a choice there: he’d be looking at four additional years in jail if he were to refuse, the judge said.

West did, in fact, agree to give up the money, which reportedly included ethereum, bitcoin and other cryptocurrencies. Unfortunately, victims won’t be able to claw back the money West blew on his fancy travel: besides his first-class train habits, he also blew the money on holidays, food, shopping and household goods.

When cybercrooks first got into phishing in a big way, they went straight to where they figured the money was: your bank account.

A few years ago, we used to see a daily slew of bogus emails warning us of banking problems at financial institutions we’d never even heard of, let alone done business with, so the bulk of phishing attacks stood out from a mile away.

Back then, phishing was a real nuisance, but even a little bit of caution went an enormously long way.

That’s the era that gave rise to the advice to look for bad spelling, poor grammar, incorrect wording and weird-looking websites.

Make no mistake, that advice is still valid. The crooks still frequently make mistakes that give them away, so make sure you take advantage of their blunders to catch them out. It’s bad enough to get phished at all, but to realise afterwards that you failed to notice that you’d “logged into” the Firrst Bank of Texass or the Royall Candanian Biulding Sociteye by mistake – well, that would just add insult to injury.

These days, you’re almost certainly still seeing phishing attacks that are after your banking passwords, but we’re ready to wager that you get just as many, and probably more, phoney emails that are after passwords for other types of account.

Email accounts are super-useful to crooks these days, for the rather obvious reason that your email address is the place that many of your other online services use for their “account recovery” functions.

Who are you going to believe: screen sweetheart Julia Roberts or Instagram chief Adam Mosseri himself?

Roberts and a host of other celebrities have unfortunately fallen for an Instagram version of the Facebook chain letter hoax. After making the rounds on Facebook, it spread to Instagram, bleating all the way with its legalistic, poorly written and puzzlingly punctuated load of horsefeathers about a purported privacy policy change taking place “tomorrow!”

The hoax would have us all believe that Instagram is planning to tweak its privacy policy to let old messages and private photos be used in court cases against its users.

This is described as a default credentials flaw which could allow an attacker to log into the command line interface using the SCP user account, giving them “full read and write access to the system’s database.”

Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.

BEC is a sneaky form of attack in which a criminal impersonating a third party convinces someone at an organization to wire them money. The crook targets someone with control of the purse strings and uses what looks at first glance like a legitimate account owned by a supplier or business partner.

Sometimes, a BEC scammer might compromise the email account of a senior executive at the target company, or at their supplier, to get a better idea of how they communicate. They could even send an email directly from that account to someone with access to company funds. Sometimes, though, they can spoof an email and request the funds without hacking anything, relying entirely on social engineering.

Who, you may ask, would fall for such a thing? Lots of people apparently, including two employees at Portland Public Schools. A fraudster contacted them pretending to be from one of the institution’s construction contractors, asking them to send payment to an account. Of course, the request was illicit, and the account illegitimate. Nevertheless, the employees approved the payments, sending $2.9 million into the ether.

Luckily, Portland Schools moved quickly to stop the transaction. In a letter to employees and schools, superintendent Guadalupe Guerrero said that the banks involved froze the fraudulent funds, adding:

PPS has already begun the process to recover and fully return funds back to the district, likely within the next several days.

Guerrero didn’t reveal how Portland Public Schools found the fraud, but the institution acted quickly after it did. It immediately contacted the FBI and Portland Police, along with the Board of Education.

Microsoft has
(once again) joined the “our contractors are listening to your audio clips”
club: up until a few months ago, your Xbox may have been listening to you and
passing those clips on to human contractors, Vice’s
Motherboard reported on Wednesday.

Like all the
other revelations about tech giants getting their contractors and employees to
listen in to voice assistant recordings – they’ve been coming at a steady clip
since April – the purpose is once again to improve a device’s voice
recognition.

Another
similarity to earlier voice assistant news: Xbox audio is supposed to be
captured following a voice command, such as “Xbox” or “Hey Cortana,” but
contractors told Motherboard that the recordings are sometimes triggered and
recorded by mistake. That’s the same thing that’s been happening with Siri: as
we found out in July, Apple’s voice assistant is getting
triggered accidentally by ambient sounds similar to its wake words, “Hey,
Siri,” including the
noise of a zipper.

This is
Microsoft’s second eavesdropping headline this month: a few weeks ago we
reported that humans listen
to Skype calls made using the app’s translation function, as well as to
clips recorded by Microsoft’s Cortana virtual assistant.

Can anybody
NOT hear me?

Also earlier this
month, thanks to whistleblowers who were disturbed by the ethical
ramifications, we found out that Facebook has been collecting some voice
chats on Messenger and paying contractors to listen to and transcribe them.

They were all
doing it: Facebook, Google, Apple, Microsoft and Amazon.

We wanted a Clear
History button. We wanted the ability to wipe out the data Facebook has on us –
to nuke it to kingdom come. We wanted this many moons ago, and that’s kind of,
sort of what Facebook
promised us, in May 2018, that we’d be getting – within a “few months.”

Well, it’s 15
months later, and we’re finally getting what Facebook promised: not the ability
to nuke all that tracking data to kingdom come, which it never actually
intended to create, but rather the ability to “disconnect” data from an
individual user’s account.

The browsing
history data that Facebook collects on us when we visit other sites will live
on, as it won’t be deleted from Facebook’s servers. As privacy experts have
pointed out, you won’t be able to delete that data, but you will be getting new
ways to control it.

Facebook
announced the new set of tools, which it’s calling Off-Facebook Activity
and which includes the Clear History feature, on Tuesday.

Facebook Chief
Privacy Officer of Policy Erin Egan and Director of Product Management David
Baser said in a Facebook newsroom post that the new tools should help to shed
light on all the third-party apps, sites, services, and ad platforms that track
our web activity via Facebook’s various trackers.

Those trackers
include Facebook
Pixel: a tiny but powerful snippet of code embedded on many third-party
sites that Facebook has lauded as a clever way to serve
targeted ads to people, including non-members. Another tool in Facebook’s
tracking arsenal is Login with Facebook, which many apps and services use
instead of creating their own login tools.

The Silence crew
is making a lot more noise. The Russian-speaking hacking group, which specializes
in stealing from banks, has been spreading its coverage and becoming more
sophisticated, according to a new report from cybersecurity company Group-IB.

It follows a
report from the company last year, which was the first to identify and analyse
the Silence group. You can find both reports here.

Group-IB characterizes
Silence as a young and relatively immature hacking group that draws on the
tools and techniques of others, learning from them and adapting them to its own
needs. It has been traditionally cautious, waiting an average of three months
between attacks.

That hasn’t
stopped it profiting, though. A string of heists has brought the group’s total
ill-gotten gains to $4.2m as of this month. As it evolves, the group has been
broadening its geographical reach and developing new malware to refine its
techniques, the report says.

It has also added
a new step to its hacking process: a reconnaissance mail. Since late last year,
it has started sending emails to potential targets containing a benign image or
link. This helps it update its active target list and detect any scanning
technologies that the victims use.

Then, armed with
a list of valid addresses, it sends them a malicious email. The lure can be a
Microsoft Office document with malicious macros, a CHM file (Compiled HTML Help,
the format used by Microsoft’s help system) or a .LNK file (a Windows shortcut
whose target can be any executable, with arguments). If the victim opens it, the
group’s malware loader, Silence.Downloader (aka TrueBot), is installed. The group
has rewritten this loader to encrypt part of its communication with the command
and control (C2) server.
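All three lure types in the paragraph above share a property a mail gateway can use: they are identifiable from their first bytes regardless of what the filename says. The following is an added example, not code from Group-IB or from the original article, that classifies attachments by magic bytes rather than extension, flags CHM and LNK containers outright, looks inside legacy Office (OLE2) files for a VBA project storage and inside OOXML zips for a vbaProject.bin part, and treats a double extension such as scan.pdf.lnk as an extra signal. The sample attachments are constructed in memory (the CHM, LNK and OLE samples are just headers plus padding, not real documents); the OLE check is a byte-pattern heuristic, not a full OLE parser.

```python
import io
import zipfile

# Container signatures (magic bytes) for the file types named in the report.
CHM_MAGIC = b"ITSF"                                       # Compiled HTML Help
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy Office .doc/.xls (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                                 # OOXML .docx/.docm/.xlsm are zips
LNK_MAGIC = (b"\x4c\x00\x00\x00"                          # HeaderSize = 0x4C
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # ShellLink CLSID

# Extensions a gateway would normally treat as harmless documents or images.
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".jpg", ".png")


def classify_attachment(filename, data):
    """Classify an attachment by content. Returns (kind, reasons); an empty
    reasons list means the file needs no second look."""
    reasons = []
    lower = filename.lower()

    if data.startswith(CHM_MAGIC):
        kind = "chm"
        reasons.append("CHM help file: can run script or launch binaries when opened")
    elif data.startswith(LNK_MAGIC):
        kind = "lnk"
        reasons.append("Windows shortcut: target can be cmd/PowerShell with arguments")
    elif data.startswith(OLE_MAGIC):
        kind = "ole"
        # OLE directory entry names are UTF-16LE; a VBA project lives in this storage.
        # Heuristic only (assumption of this example): a real parser should walk the directory.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            reasons.append("legacy Office document contains a VBA project")
    elif data.startswith(ZIP_MAGIC):
        kind = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            reasons.append("zip signature but unreadable archive")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            kind = "ooxml-macro"
            reasons.append("OOXML document embeds vbaProject.bin (macros)")
        elif any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            kind = "ooxml"
    else:
        kind = "other"

    if kind in ("chm", "lnk"):
        if lower.count(".") > 1:
            reasons.append("double extension hides the real file type")
        if lower.endswith(DOC_EXTS):
            reasons.append(f"extension .{lower.rsplit('.', 1)[-1]} does not match {kind} content")
    return kind, reasons


def flag_suspicious(attachments):
    """Names of attachments (name -> bytes) that produced at least one reason."""
    return [name for name, data in attachments.items() if classify_attachment(name, data)[1]]


def _make_ooxml(with_macro):
    """Build a minimal OOXML-shaped zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 32)
    return buf.getvalue()


# Constructed sample attachments: headers plus padding, enough to exercise the checks.
SAMPLES = {
    "invoice.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\0" * 60,
    "scan.pdf.lnk": LNK_MAGIC + b"\0" * 60,
    "contract.doc": OLE_MAGIC + b"\0" * 512 + "_VBA_PROJECT".encode("utf-16-le") + b"\0" * 64,
    "report.docm": _make_ooxml(True),
    "agenda.docx": _make_ooxml(False),
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_attachment(name, data))
```

The point of going by content is that the reconnaissance mail already told the attackers which addresses are live and what scanning the target runs; an extension allow-list is exactly the kind of check that step is designed to probe. Quarantining CHM and LNK attachments outright, and macro-bearing documents from external senders, removes the three lure types named in the report without needing a signature for each new loader build.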

More recently,
the group has begun using a fileless loader called Ivoke, written in
PowerShell. Silence began using fileless techniques later than other groups,
showing that they are studying and then modifying other groups’ techniques,
Group-IB said.

A recent court
filing indicates that Facebook knew about the bug in its View As feature
that led to the 2018
data breach – a breach that would turn out to affect nearly 29 million
accounts – and that it protected its employees from repercussions of that bug,
but that it didn’t bother to warn users.

There was a class
action lawsuit – Carla
Echavarria and Derrick Walker v. Facebook, Inc. – filed
within hours of Facebook’s revelations last September that attackers had
exploited a vulnerability in its “View As” feature to steal access tokens: the
keys that allow you to stay logged into Facebook so you don’t need to re-enter
your password every time you use the app.

Reuters
reports that the lawsuit in question actually combined several legal actions,
presumably including the one filed on the same day as Facebook disclosed the
breach.

The breach

As Naked
Security’s Paul Ducklin explained
at the time, the View As feature lets you preview your profile as other
people would see it.

This is supposed
to be a security feature that helps you check whether you’re oversharing
information you meant to keep private. But crooks figured out how to exploit
a bug (actually, a combination of three different bugs) so that when they
logged in as user X and did View As user Y, they essentially became
user Y. From Paul:

If user Y was logged
into Facebook at the time, even if they weren’t actually active on the site,
the crooks could recover the Facebook access token for user Y, potentially
giving them access to lots of data about that user.

That’s exactly
what attackers did: they took the profile details belonging to some 14 million
users, including birth dates, employers, education history, religious
preference, types of devices used, pages followed and recent searches and
location check-ins.

Netflix has identified
several denial of service (DoS) flaws in numerous implementations of HTTP/2, a
popular network protocol that underpins large parts of the web. Exploiting them
could make servers grind to a halt.

HTTP/2 is the
latest flavour of HTTP, the application protocol that manages communication
between web servers and clients. Released in 2015, HTTP/2 introduced several
improvements intended to make sessions faster and more reliable.

Updates included:

HTTP header compression. In previous HTTP versions, only the
body of a request could be compressed, even though for small web pages the
headers, which often include data such as cookies and are always sent in
text format, could be bigger than the body.

Multiplexed streams and binary
packets. This made
it easier to download multiple items in parallel, speeding up rendering of
web pages made up of many parts.

Server Push. This means the server can send across
cacheable information that the client might need later, even if it hasn’t
been requested yet.

Features like
these can help reduce latency and improve search engine rankings. The problem
is that more complexity means more opportunity for bugs.

Netflix explains
this in its writeup of the issue:

The algorithms
and mechanisms for detecting and mitigating “abnormal” behavior are
significantly more vague and left as an exercise for the implementer. From a
review of various software packages, it appears that this has led to a variety
of implementations with a variety of good ideas, but also some weaknesses.

There are eight
of those weaknesses, all with their own separate CVE number and nickname.
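The Netflix quote above is the crux: the protocol tells a server how to parse PING, SETTINGS, RST_STREAM, WINDOW_UPDATE and empty DATA frames, but not how many of them a peer may send for free before it is plainly not there to fetch a web page. The following is an added example, not code from Netflix or from any HTTP/2 server, showing one shape such a check can take: a 9-byte frame-header parser plus a per-connection budget in which frames that advance a request (HEADERS, DATA that carries bytes or ends a stream) earn credit and cheap control frames spend it, so a connection that only ever sends control traffic is closed after a bounded amount of work. The credit and slack values are assumptions for the demo, and the three byte streams are constructed here rather than captured from a client.

```python
# HTTP/2 frame types, RFC 7540 section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = range(10)
END_STREAM = 0x1
END_HEADERS = 0x4
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def frame(ftype, payload=b"", flags=0, stream_id=0):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) from a client->server byte stream."""
    if buf.startswith(PREFACE):
        buf = buf[len(PREFACE):]
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame; a real server waits for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length


class ControlFrameBudget:
    """Per-connection abuse detector (illustrative policy, not a standard one).

    Frames that do real work earn `credit` units each; frames the peer can emit
    endlessly at no cost to itself (PING, SETTINGS, RST_STREAM, WINDOW_UPDATE,
    PRIORITY, and DATA frames with no bytes and no END_STREAM) cost one unit each.
    Once the debt exceeds `slack`, the connection is doing no useful work and
    should be torn down with GOAWAY.
    """

    CHEAP = {PING, SETTINGS, RST_STREAM, WINDOW_UPDATE, PRIORITY}

    def __init__(self, credit=10, slack=100):
        self.credit, self.slack = credit, slack
        self.useful = self.cheap = 0

    def observe(self, ftype, flags, stream_id, payload):
        if ftype == HEADERS or (ftype == DATA and (payload or flags & END_STREAM)):
            self.useful += 1
        elif ftype in self.CHEAP or ftype == DATA:   # empty DATA without END_STREAM
            self.cheap += 1
        return self.abusive()

    def abusive(self):
        return self.cheap - self.credit * self.useful > self.slack


def assess(stream_bytes, **kw):
    """Feed a byte stream through the budget; return (abusive, useful, cheap)."""
    budget = ControlFrameBudget(**kw)
    for f in iter_frames(stream_bytes):
        if budget.observe(*f):
            break   # a real server stops reading here and sends GOAWAY
    return budget.abusive(), budget.useful, budget.cheap


# Constructed sample traffic. The HEADERS payload is three HPACK static-table
# indices: :method GET (2), :scheme http (6), :path / (4).
GET_ROOT = b"\x82\x86\x84"
NORMAL = (PREFACE + frame(SETTINGS)
          + b"".join(frame(HEADERS, GET_ROOT, flags=END_HEADERS | END_STREAM, stream_id=sid)
                     for sid in range(1, 40, 2))
          + frame(PING, b"\0" * 8) + frame(WINDOW_UPDATE, b"\0\0\x10\0"))
PING_FLOOD = PREFACE + frame(SETTINGS) + frame(PING, b"\0" * 8) * 5000
EMPTY_DATA_FLOOD = (PREFACE + frame(SETTINGS)
                    + frame(HEADERS, GET_ROOT, flags=END_HEADERS, stream_id=1)
                    + frame(DATA, b"", stream_id=1) * 5000)

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("ping flood", PING_FLOOD), ("empty data", EMPTY_DATA_FLOOD)):
        print(label, assess(sample))
```

A ratio like this is deliberately coarse: it bounds how much a peer can make the server do without ever producing a response, which is the common thread behind floods of cheap frames, but a server also needs separate per-stream limits (reset rate, concurrent streams, header-block size, queued-but-unsent data) because a client can mix in just enough real requests to keep a pure ratio below threshold.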

Security
researchers have reviewed security advisories for Apache Struts and found that
two dozen of them inaccurately listed affected versions for the open-source
development framework.

The advisories
have since been
updated to reflect vulnerabilities in an additional 61 unique versions of
Struts that were affected by at least one previously disclosed vulnerability
but left off the security advisories for those vulnerabilities.

The extensive
analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’
Cybersecurity Research Center (CyRC), which investigated 115 distinct releases
for Apache Struts and correlated those releases against 57 existing Apache
Struts Security Advisories covering 64 vulnerabilities.

Synopsys’
Tim Mackey said in a blog post on Thursday that the danger isn’t that
developers and users may have upgraded needlessly. Rather, the real danger is
that needed updates may not have happened:

While our
findings included the identification of versions that were falsely reported as
impacted in the original disclosure, the real risk for consumers of a component
is when a vulnerable version is missed in the original assessment. Given that
development teams often cache ‘known good’ versions of components in an effort
to ensure error-free compilation, under-reporting of impacted versions can have
a lasting impact on overall product security.

Case in point:
Equifax

Promptly patching
security vulnerabilities in Apache Struts is a vital task: you can ask Equifax
all about possible ramifications of failing to do so. Equifax blamed
a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for
the massive
data breach of 2017. The patch had been available for months before the
breach, it turned out, but Equifax hadn’t applied it.
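Mackey’s point about cached “known good” versions cuts both ways: the advisory has to list the right versions, and the tooling that compares a cached component against the advisory has to compare versions correctly. The following is an added example, not Synopsys’s or Apache’s tooling, that parses an advisory’s affected-versions field into numeric ranges and checks a list of releases against it, alongside the plain string comparison that home-grown scripts often use. The affected-versions text is as published in the Apache S2-045 advisory for CVE-2017-5638, the bug Equifax cited (check it against the live advisory before relying on it); the release list is a constructed subset of Struts version numbers for the demo.

```python
import re

# Affected-versions field from Apache advisory S2-045 (CVE-2017-5638).
S2_045_AFFECTED = "Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10"

# Constructed subset of Struts release numbers, in release order.
RELEASES = ["2.3.4", "2.3.5", "2.3.10", "2.3.20.1", "2.3.31", "2.3.32",
            "2.5", "2.5.10", "2.5.10.1", "2.5.12"]

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(v):
    """'2.3.31' -> (2, 3, 31). Tuples compare numerically, so 2.3.9 < 2.3.10."""
    return tuple(int(p) for p in v.split("."))


def parse_ranges(text):
    """Turn an advisory's affected-versions field into [(lo, hi), ...].
    A comma-separated part with a single version is treated as lo == hi."""
    ranges = []
    for part in text.split(","):
        nums = VERSION_RE.findall(part)
        if nums:
            ranges.append((parse_version(nums[0]), parse_version(nums[-1])))
    return ranges


def in_range(version, lo, hi):
    """True if version lies in [lo, hi]. Shorter tuples are zero-padded, so a bound
    written as '2.5' means 2.5.0 and '2.3.20.1' compares sensibly against '2.3.31'.
    Note the choice this embeds: 2.3.31.x would fall outside '… - 2.3.31'. Whether
    an advisory author meant that is exactly the ambiguity that produces mislisted
    versions."""
    v = parse_version(version)
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


def affected(releases, advisory_text):
    ranges = parse_ranges(advisory_text)
    return [r for r in releases if any(in_range(r, lo, hi) for lo, hi in ranges)]


def naive_affected(releases, advisory_text):
    """The same check with plain string comparison, a common mistake in ad hoc
    scripts: '2.3.31' < '2.3.5' lexically, so the entire 2.3 range disappears."""
    out = []
    for part in advisory_text.split(","):
        nums = VERSION_RE.findall(part)
        if nums:
            lo, hi = nums[0], nums[-1]
            out += [r for r in releases if lo <= r <= hi and r not in out]
    return out


def missed_by_naive(releases, advisory_text):
    """Releases the numeric check flags that the string check silently clears."""
    good = affected(releases, advisory_text)
    bad = set(naive_affected(releases, advisory_text))
    return [r for r in good if r not in bad]


if __name__ == "__main__":
    print("numeric:", affected(RELEASES, S2_045_AFFECTED))
    print("string :", naive_affected(RELEASES, S2_045_AFFECTED))
    print("missed :", missed_by_naive(RELEASES, S2_045_AFFECTED))
```

Run against this advisory, the string comparison clears four vulnerable 2.3.x releases, which is the same failure mode as an under-reported advisory: a cached component is marked clean and never upgraded. A version check belongs in a library that understands the component’s numbering scheme, and the advisory itself should be re-read whenever it is amended, as these Struts advisories were.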

Recent news
stories about mobile phone security – or, more precisely, about mobile phone insecurity
– have been more dramatic than usual.

That’s because
we’re in what you might call “the month after the week before” – last week
being when the annual Black Hat USA conference took place in Las Vegas.

A lot of detailed
cybersecurity research gets presented for the first time at that event, so the
security stories that emerge after the conference papers have been delivered
often dig a lot deeper than usual.

…of which a
whopping 7,000,000 were phones delivered with the malware
preinstalled, inadvertently bundled in along with the many free apps that
some vendors seem to think they can convince us we can’t live without.

No more stashing
your Nest security cameras in the bushes to catch burglars unaware: Google
informed users on Wednesday that it’s removing the option to turn off the
status light that indicates when your Nest camera is recording.

You can still dim
the light that shows when Google’s Nest, Dropcam, and Nest Hello cameras are on
and sending video and audio to Nest, Google said, but you can’t make it go away
on new cameras. If the camera is on, it’s going to tell people that it’s on –
with its green status light in Nest and Nest Home and the blue status light in
Dropcam – in furtherance of Google’s
newest commitment to privacy.

Google introduced
its new privacy commitment at its I/O 2019 developers conference in May, in
order to explain how its connected home devices and services work.

The setting that
enabled users to turn off the status light is being removed on all new cameras.
When the cameras’ live video is streamed from the Nest app, the status light
will blink. The update will be done over-the-air for all Nest cams: Google’s
update notice said that the company was rolling out the changes as of
Wednesday, 14 August 2019.

A UK man who DDoS-ed
police websites was caught and imprisoned after he jeered at police about the
attacks on social media.

Liam Reece Watts,
20, targeted the Greater Manchester Police (GMP) website in August 2018 and
then the Cheshire Police site in March 2019, according to ITV
News. Each of the public-facing websites was knocked offline for about a
day, The
Register reported.

According to news
outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS)
attacks were done in retaliation for Watts having been convicted of calling in
bomb hoaxes just days after the 2017
Manchester Arena suicide attack left 22 people dead and 500 injured.

Watts, who was 19
at the time of the DDoS attacks, was caught after he taunted police through
Twitter. He used the handle Synic: a possible reference to SYN flood, a type of
DoS attack in which a server is swamped with TCP SYN (synchronize) segments, the
first step of the three-way handshake, that the attacker never completes, so the
server’s table of half-open connections fills up and legitimate clients can’t get
through.

Watts reportedly
wrote this in one of his tweets:

@Cheshirepolice
want to send me to prison for a bomb hoax I never did, here you f****** go,
here is what I’m guilty of.

Watts reportedly
posted that tweet while police were still investigating the first DDoS attack
on the GMP site in 2018, and before he unleashed the March 2019 attack on the
Cheshire Police site.

He reportedly
admitted to carrying out the attack after police searched his home.